Multiple vulnerabilities in Ansible Automation Platform 2.4 packages

Published: 2024-06-19
Risk: High
Patch available: YES
Number of vulnerabilities: 20
CVE-ID: CVE-2024-30251, CVE-2024-27351, CVE-2023-5752, CVE-2024-3772, CVE-2024-28849, CVE-2024-27306, CVE-2024-21503, CVE-2024-26130, CVE-2023-49083, CVE-2024-1135, CVE-2024-3651, CVE-2024-34064, CVE-2024-28219, CVE-2023-50447, CVE-2024-35195, CVE-2024-32879, CVE-2024-4340, CVE-2024-24783, CVE-2023-45288, CVE-2023-45290
CWE-ID: CWE-835, CWE-1333, CWE-77, CWE-185, CWE-200, CWE-79, CWE-20, CWE-476, CWE-444, CWE-400, CWE-119, CWE-94, CWE-254, CWE-178, CWE-674, CWE-388
Exploitation vector: Network
Public exploit: Public exploit code for vulnerability #19 is available.
Vulnerable software
python3x-sqlparse (Red Hat package)
Operating systems & Components / Operating system package or component

python3x-social-auth-app-django (Red Hat package)
Operating systems & Components / Operating system package or component

python3x-requests (Red Hat package)
Operating systems & Components / Operating system package or component

python3x-pydantic (Red Hat package)
Operating systems & Components / Operating system package or component

python3x-pyOpenSSL (Red Hat package)
Operating systems & Components / Operating system package or component

python3x-pulpcore (Red Hat package)
Operating systems & Components / Operating system package or component

python3x-pulp-ansible (Red Hat package)
Operating systems & Components / Operating system package or component

python3x-pillow (Red Hat package)
Operating systems & Components / Operating system package or component

python3x-jinja2 (Red Hat package)
Operating systems & Components / Operating system package or component

python3x-idna (Red Hat package)
Operating systems & Components / Operating system package or component

python3x-gunicorn (Red Hat package)
Operating systems & Components / Operating system package or component

python3x-galaxy-ng (Red Hat package)
Operating systems & Components / Operating system package or component

python3x-cryptography (Red Hat package)
Operating systems & Components / Operating system package or component

python3x-black (Red Hat package)
Operating systems & Components / Operating system package or component

python3x-aiohttp (Red Hat package)
Operating systems & Components / Operating system package or component

receptor (Red Hat package)
Operating systems & Components / Operating system package or component

python-sqlparse (Red Hat package)
Operating systems & Components / Operating system package or component

python-social-auth-app-django (Red Hat package)
Operating systems & Components / Operating system package or component

python-requests (Red Hat package)
Operating systems & Components / Operating system package or component

python-pydantic (Red Hat package)
Operating systems & Components / Operating system package or component

python-pyOpenSSL (Red Hat package)
Operating systems & Components / Operating system package or component

python-pulpcore (Red Hat package)
Operating systems & Components / Operating system package or component

python-pulp-ansible (Red Hat package)
Operating systems & Components / Operating system package or component

python-pillow (Red Hat package)
Operating systems & Components / Operating system package or component

python-jinja2 (Red Hat package)
Operating systems & Components / Operating system package or component

python-idna (Red Hat package)
Operating systems & Components / Operating system package or component

python-gunicorn (Red Hat package)
Operating systems & Components / Operating system package or component

python-galaxy-ng (Red Hat package)
Operating systems & Components / Operating system package or component

python-cryptography (Red Hat package)
Operating systems & Components / Operating system package or component

python-black (Red Hat package)
Operating systems & Components / Operating system package or component

python-aiohttp (Red Hat package)
Operating systems & Components / Operating system package or component

automation-hub (Red Hat package)
Operating systems & Components / Operating system package or component

automation-eda-controller (Red Hat package)
Operating systems & Components / Operating system package or component

automation-controller (Red Hat package)
Operating systems & Components / Operating system package or component

ansible-rulebook (Red Hat package)
Operating systems & Components / Operating system package or component

ansible-core (Red Hat package)
Operating systems & Components / Operating system package or component

ansible-automation-platform-installer (Red Hat package)
Operating systems & Components / Operating system package or component

Vendor: Red Hat Inc.

Security Bulletin

This security bulletin contains information about 20 vulnerabilities.

1) Infinite loop

EUVDB-ID: #VU89159

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-30251

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an infinite loop. A remote attacker can send a specially crafted POST request, consume all available system resources and cause denial of service conditions.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

python3x-sqlparse (Red Hat package): before 0.5.0-1.el8ap

python3x-social-auth-app-django (Red Hat package): before 5.4.1-1.el8ap

python3x-requests (Red Hat package): before 2.32.2-1.el8ap

python3x-pydantic (Red Hat package): before 1.10.15-1.el8ap

python3x-pyOpenSSL (Red Hat package): before 24.1.0-1.el8ap

python3x-pulpcore (Red Hat package): before 3.28.27-1.el8ap

python3x-pulp-ansible (Red Hat package): before 0.20.7-1.el8ap

python3x-pillow (Red Hat package): before 10.3.0-1.el8ap

python3x-jinja2 (Red Hat package): before 3.1.4-1.el8ap

python3x-idna (Red Hat package): before 3.7-1.el8ap

python3x-gunicorn (Red Hat package): before 22.0.0-1.el8ap

python3x-galaxy-ng (Red Hat package): before 4.9.2-1.el8ap

python3x-cryptography (Red Hat package): before 42.0.5-1.el8ap

python3x-black (Red Hat package): before 22.8.0-2.el8ap

python3x-aiohttp (Red Hat package): before 3.9.5-1.el8ap

receptor (Red Hat package): before 1.4.8-1.el9ap

python-sqlparse (Red Hat package): before 0.5.0-1.el9ap

python-social-auth-app-django (Red Hat package): before 5.4.1-1.el9ap

python-requests (Red Hat package): before 2.32.2-1.el9ap

python-pydantic (Red Hat package): before 1.10.15-1.el9ap

python-pyOpenSSL (Red Hat package): before 24.1.0-1.el9ap

python-pulpcore (Red Hat package): before 3.28.27-1.el9ap

python-pulp-ansible (Red Hat package): before 0.20.7-1.el9ap

python-pillow (Red Hat package): before 10.3.0-1.el9ap

python-jinja2 (Red Hat package): before 3.1.4-1.el9ap

python-idna (Red Hat package): before 3.7-1.el9ap

python-gunicorn (Red Hat package): before 22.0.0-1.el9ap

python-galaxy-ng (Red Hat package): before 4.9.2-1.el9ap

python-cryptography (Red Hat package): before 42.0.5-1.el9ap

python-black (Red Hat package): before 22.8.0-2.el9ap

python-aiohttp (Red Hat package): before 3.9.5-1.el9ap

automation-hub (Red Hat package): before 4.9.2-1.el9ap

automation-eda-controller (Red Hat package): before 1.0.7-1.el9ap

automation-controller (Red Hat package): before 4.5.7-1.el9ap

ansible-rulebook (Red Hat package): before 1.0.7-1.el9ap

ansible-core (Red Hat package): before 2.15.11-1.el9ap

ansible-automation-platform-installer (Red Hat package): before 2.4-7.1.el9ap
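The "before" versions above are RPM version-release strings, so a host is affected only if its installed build sorts below the fixed one under RPM's own ordering, not under plain string comparison. The following script is an added example, not part of this bulletin or of Red Hat's tooling: it reimplements the rpmvercmp segment rules (numeric segments compare numerically, alphabetic ones lexically, numeric outranks alphabetic, and a string with segments left over wins), then compares a constructed sample of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` output against a constructed subset of the fixed versions listed above. Epoch, tilde and caret handling are omitted (an assumption that holds for the versions on this page).

```python
import re

# Constructed subset of the "before" versions listed in this bulletin (el9ap builds).
FIXED_VERSIONS = {
    "python-requests": "2.32.2-1.el9ap",
    "python-aiohttp": "3.9.5-1.el9ap",
    "python-cryptography": "42.0.5-1.el9ap",
    "ansible-core": "2.15.11-1.el9ap",
}

# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` output.
INSTALLED_SAMPLE = """\
python-requests 2.31.0-1.el9ap
python-aiohttp 3.9.5-1.el9ap
python-cryptography 41.0.7-1.el9ap
ansible-core 2.15.9-2.el9ap
"""

# A version is a sequence of digit runs and letter runs; separators are ignored.
_SEGMENT = re.compile(r"([0-9]+|[a-zA-Z]+)")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version or release strings; returns -1, 0 or 1.
    Assumption: no epoch, '~' or '^' markers (none appear in this bulletin)."""
    if a == b:
        return 0
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            # both numeric: compare as integers so 11 > 9
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x_num != y_num:
            # numeric segment is newer than an alphabetic one
            return 1 if x_num else -1
        elif x != y:
            return 1 if x > y else -1
    if len(seg_a) == len(seg_b):
        return 0
    # whichever string still has segments left over is newer
    return 1 if len(seg_a) > len(seg_b) else -1


def evr_cmp(a: str, b: str) -> int:
    """Compare 'version-release' strings: version first, release as tie-breaker."""
    ver_a, _, rel_a = a.rpartition("-")
    ver_b, _, rel_b = b.rpartition("-")
    return rpmvercmp(ver_a, ver_b) or rpmvercmp(rel_a, rel_b)


def parse_installed(text: str) -> dict:
    """Turn 'NAME VERSION-RELEASE' lines into a {name: evr} mapping."""
    installed = {}
    for line in text.splitlines():
        if line.strip():
            name, _, evr = line.strip().partition(" ")
            installed[name] = evr
    return installed


def find_vulnerable(installed: dict, fixed: dict) -> list:
    """Return sorted (name, installed_evr, fixed_evr) for packages older than the fix."""
    hits = []
    for name, fixed_evr in fixed.items():
        current = installed.get(name)
        if current is not None and evr_cmp(current, fixed_evr) < 0:
            hits.append((name, current, fixed_evr))
    return sorted(hits)


if __name__ == "__main__":
    for name, have, need in find_vulnerable(parse_installed(INSTALLED_SAMPLE), FIXED_VERSIONS):
        print(f"{name}: installed {have} < fixed {need}")
```

On a real host, replace `INSTALLED_SAMPLE` with the actual `rpm -qa` output and extend `FIXED_VERSIONS` with every package in the list above; the comparison logic is the part that matters, since `2.15.9` must sort below `2.15.11` even though it sorts above it as a string.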

External links

http://access.redhat.com/errata/RHSA-2024:3781


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Inefficient regular expression complexity

EUVDB-ID: #VU87033

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-27351

CWE-ID: CWE-1333 - Inefficient Regular Expression Complexity

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing untrusted input with regular expressions in django.utils.text.Truncator.words(). A remote attacker can pass specially crafted data to the application and perform a regular expression denial of service (ReDoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

python3x-sqlparse (Red Hat package): before 0.5.0-1.el8ap

python3x-social-auth-app-django (Red Hat package): before 5.4.1-1.el8ap

python3x-requests (Red Hat package): before 2.32.2-1.el8ap

python3x-pydantic (Red Hat package): before 1.10.15-1.el8ap

python3x-pyOpenSSL (Red Hat package): before 24.1.0-1.el8ap

python3x-pulpcore (Red Hat package): before 3.28.27-1.el8ap

python3x-pulp-ansible (Red Hat package): before 0.20.7-1.el8ap

python3x-pillow (Red Hat package): before 10.3.0-1.el8ap

python3x-jinja2 (Red Hat package): before 3.1.4-1.el8ap

python3x-idna (Red Hat package): before 3.7-1.el8ap

python3x-gunicorn (Red Hat package): before 22.0.0-1.el8ap

python3x-galaxy-ng (Red Hat package): before 4.9.2-1.el8ap

python3x-cryptography (Red Hat package): before 42.0.5-1.el8ap

python3x-black (Red Hat package): before 22.8.0-2.el8ap

python3x-aiohttp (Red Hat package): before 3.9.5-1.el8ap

receptor (Red Hat package): before 1.4.8-1.el9ap

python-sqlparse (Red Hat package): before 0.5.0-1.el9ap

python-social-auth-app-django (Red Hat package): before 5.4.1-1.el9ap

python-requests (Red Hat package): before 2.32.2-1.el9ap

python-pydantic (Red Hat package): before 1.10.15-1.el9ap

python-pyOpenSSL (Red Hat package): before 24.1.0-1.el9ap

python-pulpcore (Red Hat package): before 3.28.27-1.el9ap

python-pulp-ansible (Red Hat package): before 0.20.7-1.el9ap

python-pillow (Red Hat package): before 10.3.0-1.el9ap

python-jinja2 (Red Hat package): before 3.1.4-1.el9ap

python-idna (Red Hat package): before 3.7-1.el9ap

python-gunicorn (Red Hat package): before 22.0.0-1.el9ap

python-galaxy-ng (Red Hat package): before 4.9.2-1.el9ap

python-cryptography (Red Hat package): before 42.0.5-1.el9ap

python-black (Red Hat package): before 22.8.0-2.el9ap

python-aiohttp (Red Hat package): before 3.9.5-1.el9ap

automation-hub (Red Hat package): before 4.9.2-1.el9ap

automation-eda-controller (Red Hat package): before 1.0.7-1.el9ap

automation-controller (Red Hat package): before 4.5.7-1.el9ap

ansible-rulebook (Red Hat package): before 1.0.7-1.el9ap

ansible-core (Red Hat package): before 2.15.11-1.el9ap

ansible-automation-platform-installer (Red Hat package): before 2.4-7.1.el9ap

External links

http://access.redhat.com/errata/RHSA-2024:3781


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Command Injection

EUVDB-ID: #VU84849

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-5752

CWE-ID: CWE-77 - Command injection

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper input validation when installing a package from a Mercurial VCS URL (i.e. "pip install hg+...") with pip. A remote attacker who controls the repository can use the specified Mercurial revision to inject arbitrary configuration options into the "hg clone" call (i.e. "--config").
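Because the injected material rides in the revision part of a `hg+` requirement, the defensive check is on the requirements file itself: any VCS revision that begins with `-` would be read by the VCS client as an option rather than a revision. The following linter is an added example, not code from pip or from this bulletin; it uses a simplified parser for the `<vcs>+<url>@<rev>#egg=<name>` shape and a constructed requirements file with `.invalid` hostnames.

```python
# Constructed sample requirements file (not from the advisory). Line 3 carries a
# revision shaped like a Mercurial command-line option, the pattern behind
# CVE-2023-5752; the option value itself is harmless here.
SAMPLE_REQUIREMENTS = """\
requests==2.32.2
hg+https://hg.example.invalid/lib@v1.2#egg=lib
hg+https://hg.example.invalid/lib@--config=ui.verbose=true#egg=lib
git+https://git.example.invalid/tool@main#egg=tool
# comment line
"""

VCS_PREFIXES = ("git+", "hg+", "svn+", "bzr+")


def parse_vcs_requirement(line):
    """Split a pip VCS requirement `<vcs>+<url>[@<rev>][#egg=<name>]` into
    (vcs, repo_url, revision); returns None for non-VCS lines.
    Assumption: simplified parser covering the common URL shapes only."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    vcs = next((p[:-1] for p in VCS_PREFIXES if line.startswith(p)), None)
    if vcs is None:
        return None
    url = line[len(vcs) + 1:].split("#", 1)[0]
    # the revision is everything after the last "@" inside the URL path, so a
    # user@host authority part is not mistaken for a revision
    path_start = url.find("/", url.find("://") + 3) if "://" in url else 0
    at = url.rfind("@")
    if at > path_start:
        return vcs, url[:at], url[at + 1:]
    return vcs, url, None


def audit_requirements(text):
    """Return (line_number, message) findings for risky VCS requirements."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_vcs_requirement(line)
        if parsed is None:
            continue
        vcs, _repo, rev = parsed
        if rev is not None and rev.startswith("-"):
            findings.append((lineno, f"{vcs} revision starts with '-' and would be parsed as an option: {rev!r}"))
        elif vcs == "hg":
            findings.append((lineno, "Mercurial VCS install; requires a pip build carrying the CVE-2023-5752 fix"))
    return findings


if __name__ == "__main__":
    for lineno, message in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: {message}")
```

Run it as a pre-install gate in CI: a finding on a `-`-prefixed revision should fail the build regardless of the pip version, since the requirement line is malformed in any case.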

Mitigation

Install updates from vendor's website.

Vulnerable software versions

python3x-sqlparse (Red Hat package): before 0.5.0-1.el8ap

python3x-social-auth-app-django (Red Hat package): before 5.4.1-1.el8ap

python3x-requests (Red Hat package): before 2.32.2-1.el8ap

python3x-pydantic (Red Hat package): before 1.10.15-1.el8ap

python3x-pyOpenSSL (Red Hat package): before 24.1.0-1.el8ap

python3x-pulpcore (Red Hat package): before 3.28.27-1.el8ap

python3x-pulp-ansible (Red Hat package): before 0.20.7-1.el8ap

python3x-pillow (Red Hat package): before 10.3.0-1.el8ap

python3x-jinja2 (Red Hat package): before 3.1.4-1.el8ap

python3x-idna (Red Hat package): before 3.7-1.el8ap

python3x-gunicorn (Red Hat package): before 22.0.0-1.el8ap

python3x-galaxy-ng (Red Hat package): before 4.9.2-1.el8ap

python3x-cryptography (Red Hat package): before 42.0.5-1.el8ap

python3x-black (Red Hat package): before 22.8.0-2.el8ap

python3x-aiohttp (Red Hat package): before 3.9.5-1.el8ap

receptor (Red Hat package): before 1.4.8-1.el9ap

python-sqlparse (Red Hat package): before 0.5.0-1.el9ap

python-social-auth-app-django (Red Hat package): before 5.4.1-1.el9ap

python-requests (Red Hat package): before 2.32.2-1.el9ap

python-pydantic (Red Hat package): before 1.10.15-1.el9ap

python-pyOpenSSL (Red Hat package): before 24.1.0-1.el9ap

python-pulpcore (Red Hat package): before 3.28.27-1.el9ap

python-pulp-ansible (Red Hat package): before 0.20.7-1.el9ap

python-pillow (Red Hat package): before 10.3.0-1.el9ap

python-jinja2 (Red Hat package): before 3.1.4-1.el9ap

python-idna (Red Hat package): before 3.7-1.el9ap

python-gunicorn (Red Hat package): before 22.0.0-1.el9ap

python-galaxy-ng (Red Hat package): before 4.9.2-1.el9ap

python-cryptography (Red Hat package): before 42.0.5-1.el9ap

python-black (Red Hat package): before 22.8.0-2.el9ap

python-aiohttp (Red Hat package): before 3.9.5-1.el9ap

automation-hub (Red Hat package): before 4.9.2-1.el9ap

automation-eda-controller (Red Hat package): before 1.0.7-1.el9ap

automation-controller (Red Hat package): before 4.5.7-1.el9ap

ansible-rulebook (Red Hat package): before 1.0.7-1.el9ap

ansible-core (Red Hat package): before 2.15.11-1.el9ap

ansible-automation-platform-installer (Red Hat package): before 2.4-7.1.el9ap

External links

http://access.redhat.com/errata/RHSA-2024:3781


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Incorrect Regular Expression

EUVDB-ID: #VU88853

Risk: Medium

CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-3772

CWE-ID: CWE-185 - Incorrect Regular Expression

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass a specially crafted email string to the application and perform a regular expression denial of service (ReDoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

python3x-sqlparse (Red Hat package): before 0.5.0-1.el8ap

python3x-social-auth-app-django (Red Hat package): before 5.4.1-1.el8ap

python3x-requests (Red Hat package): before 2.32.2-1.el8ap

python3x-pydantic (Red Hat package): before 1.10.15-1.el8ap

python3x-pyOpenSSL (Red Hat package): before 24.1.0-1.el8ap

python3x-pulpcore (Red Hat package): before 3.28.27-1.el8ap

python3x-pulp-ansible (Red Hat package): before 0.20.7-1.el8ap

python3x-pillow (Red Hat package): before 10.3.0-1.el8ap

python3x-jinja2 (Red Hat package): before 3.1.4-1.el8ap

python3x-idna (Red Hat package): before 3.7-1.el8ap

python3x-gunicorn (Red Hat package): before 22.0.0-1.el8ap

python3x-galaxy-ng (Red Hat package): before 4.9.2-1.el8ap

python3x-cryptography (Red Hat package): before 42.0.5-1.el8ap

python3x-black (Red Hat package): before 22.8.0-2.el8ap

python3x-aiohttp (Red Hat package): before 3.9.5-1.el8ap

receptor (Red Hat package): before 1.4.8-1.el9ap

python-sqlparse (Red Hat package): before 0.5.0-1.el9ap

python-social-auth-app-django (Red Hat package): before 5.4.1-1.el9ap

python-requests (Red Hat package): before 2.32.2-1.el9ap

python-pydantic (Red Hat package): before 1.10.15-1.el9ap

python-pyOpenSSL (Red Hat package): before 24.1.0-1.el9ap

python-pulpcore (Red Hat package): before 3.28.27-1.el9ap

python-pulp-ansible (Red Hat package): before 0.20.7-1.el9ap

python-pillow (Red Hat package): before 10.3.0-1.el9ap

python-jinja2 (Red Hat package): before 3.1.4-1.el9ap

python-idna (Red Hat package): before 3.7-1.el9ap

python-gunicorn (Red Hat package): before 22.0.0-1.el9ap

python-galaxy-ng (Red Hat package): before 4.9.2-1.el9ap

python-cryptography (Red Hat package): before 42.0.5-1.el9ap

python-black (Red Hat package): before 22.8.0-2.el9ap

python-aiohttp (Red Hat package): before 3.9.5-1.el9ap

automation-hub (Red Hat package): before 4.9.2-1.el9ap

automation-eda-controller (Red Hat package): before 1.0.7-1.el9ap

automation-controller (Red Hat package): before 4.5.7-1.el9ap

ansible-rulebook (Red Hat package): before 1.0.7-1.el9ap

ansible-core (Red Hat package): before 2.15.11-1.el9ap

ansible-automation-platform-installer (Red Hat package): before 2.4-7.1.el9ap

External links

http://access.redhat.com/errata/RHSA-2024:3781


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Information disclosure

EUVDB-ID: #VU87551

Risk: Low

CVSSv3.1: 3 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-28849

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists because credential-bearing headers are forwarded when following cross-domain redirects. A remote attacker can gain access to sensitive information.
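The defensive rule an HTTP client should apply is to drop credential-bearing headers the moment a redirect leaves the origin the request was made to. The code below is an added example, not code from the requests project or from this bulletin: a small redirect-following loop over a pluggable `send` callable, with a constructed fake transport (hostnames under `.invalid`) that records which headers reached which host. It treats any change of scheme, host or port as cross-origin, which is stricter than the narrower rule a real client may use; that is an assumption of this example.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = (301, 302, 303, 307, 308)
# Headers that carry credentials and must not cross an origin boundary.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie"}


def same_origin(url_a, url_b):
    """Strict origin check: scheme, host and port must all match."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme, (a.hostname or "").lower(), a.port) == (b.scheme, (b.hostname or "").lower(), b.port)


def headers_for_redirect(from_url, to_url, headers):
    """Copy of `headers` safe to send to `to_url`: credential headers are kept only
    when the redirect target shares the origin of the request that was redirected."""
    if same_origin(from_url, to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


def follow_redirects(send, url, headers, max_hops=5):
    """Drive a request through redirects. `send(url, headers)` must return
    (status, response_headers, body). Returns (final_url, status, body)."""
    hops = 0
    while True:
        status, resp_headers, body = send(url, headers)
        if status not in REDIRECT_STATUSES:
            return url, status, body
        hops += 1
        if hops > max_hops:
            raise RuntimeError("too many redirects")
        location = resp_headers.get("Location")
        if location is None:
            raise RuntimeError("redirect without Location header")
        next_url = urljoin(url, location)
        headers = headers_for_redirect(url, next_url, headers)
        url = next_url


# Constructed fake transport: api.example.invalid redirects to another host and
# every host records the headers it received.
SEEN = {}


def fake_send(url, headers):
    host = urlsplit(url).hostname
    SEEN.setdefault(host, []).append(dict(headers))
    if host == "api.example.invalid":
        return 302, {"Location": "https://cdn.other.invalid/blob"}, b""
    return 200, {}, b"ok"


def demo():
    """Run one redirected request and report the headers each host saw."""
    SEEN.clear()
    final_url, status, _body = follow_redirects(
        fake_send,
        "https://api.example.invalid/data",
        {"Authorization": "Bearer constructed-token", "Accept": "*/*"},
    )
    return final_url, status, {host: sorted(seen[0]) for host, seen in SEEN.items()}


if __name__ == "__main__":
    print(demo())
```

The recorded headers show the `Authorization` value reaching `api.example.invalid` but not `cdn.other.invalid`, while the non-credential `Accept` header is forwarded unchanged. When a client library handles redirects for you, the check to make after patching is the same one: send a request with an `Authorization` header through a redirect to a host you control and confirm the header is absent on arrival.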

Mitigation

Install updates from vendor's website.

Vulnerable software versions

python3x-sqlparse (Red Hat package): before 0.5.0-1.el8ap

python3x-social-auth-app-django (Red Hat package): before 5.4.1-1.el8ap

python3x-requests (Red Hat package): before 2.32.2-1.el8ap

python3x-pydantic (Red Hat package): before 1.10.15-1.el8ap

python3x-pyOpenSSL (Red Hat package): before 24.1.0-1.el8ap

python3x-pulpcore (Red Hat package): before 3.28.27-1.el8ap

python3x-pulp-ansible (Red Hat package): before 0.20.7-1.el8ap

python3x-pillow (Red Hat package): before 10.3.0-1.el8ap

python3x-jinja2 (Red Hat package): before 3.1.4-1.el8ap

python3x-idna (Red Hat package): before 3.7-1.el8ap

python3x-gunicorn (Red Hat package): before 22.0.0-1.el8ap

python3x-galaxy-ng (Red Hat package): before 4.9.2-1.el8ap

python3x-cryptography (Red Hat package): before 42.0.5-1.el8ap

python3x-black (Red Hat package): before 22.8.0-2.el8ap

python3x-aiohttp (Red Hat package): before 3.9.5-1.el8ap

receptor (Red Hat package): before 1.4.8-1.el9ap

python-sqlparse (Red Hat package): before 0.5.0-1.el9ap

python-social-auth-app-django (Red Hat package): before 5.4.1-1.el9ap

python-requests (Red Hat package): before 2.32.2-1.el9ap

python-pydantic (Red Hat package): before 1.10.15-1.el9ap

python-pyOpenSSL (Red Hat package): before 24.1.0-1.el9ap

python-pulpcore (Red Hat package): before 3.28.27-1.el9ap

python-pulp-ansible (Red Hat package): before 0.20.7-1.el9ap

python-pillow (Red Hat package): before 10.3.0-1.el9ap

python-jinja2 (Red Hat package): before 3.1.4-1.el9ap

python-idna (Red Hat package): before 3.7-1.el9ap

python-gunicorn (Red Hat package): before 22.0.0-1.el9ap

python-galaxy-ng (Red Hat package): before 4.9.2-1.el9ap

python-cryptography (Red Hat package): before 42.0.5-1.el9ap

python-black (Red Hat package): before 22.8.0-2.el9ap

python-aiohttp (Red Hat package): before 3.9.5-1.el9ap

automation-hub (Red Hat package): before 4.9.2-1.el9ap

automation-eda-controller (Red Hat package): before 1.0.7-1.el9ap

automation-controller (Red Hat package): before 4.5.7-1.el9ap

ansible-rulebook (Red Hat package): before 1.0.7-1.el9ap

ansible-core (Red Hat package): before 2.15.11-1.el9ap

ansible-automation-platform-installer (Red Hat package): before 2.4-7.1.el9ap

External links

http://access.redhat.com/errata/RHSA-2024:3781


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Cross-site scripting

EUVDB-ID: #VU88804

Risk: Medium

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-27306

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data within the web.static(..., show_index=True) method when generating index pages for static file handling. A remote attacker can inject and execute arbitrary HTML and script code in a user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
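A directory index is generated HTML whose content comes from filesystem names, so those names are untrusted input in both attribute and text context. The two renderers below are an added example, not aiohttp's code or this bulletin's: the first interpolates names verbatim (the CWE-79 pattern), the second percent-encodes the path for the `href` and HTML-escapes every filesystem-derived string. The entries are constructed; the second name carries markup only to make the difference visible in the output.

```python
import html
from urllib.parse import quote

# Constructed directory entries (name, is_dir); a real handler would list them
# from the filesystem.
SAMPLE_ENTRIES = [
    ("report.pdf", False),
    ("<script>x</script>.txt", False),
    ("images", True),
]


def render_index_unsafe(prefix, entries):
    """Index page that puts filenames into the HTML verbatim: a name containing
    markup becomes markup in the page."""
    items = []
    for name, is_dir in entries:
        suffix = "/" if is_dir else ""
        items.append(f'<li><a href="{prefix}/{name}{suffix}">{name}{suffix}</a></li>')
    return f"<html><body><h1>Index of {prefix}</h1><ul>{''.join(items)}</ul></body></html>"


def render_index(prefix, entries):
    """Hardened variant: the href is percent-encoded (then attribute-escaped) and
    the visible text is HTML-escaped, so no filesystem string reaches the page raw."""
    items = []
    for name, is_dir in entries:
        suffix = "/" if is_dir else ""
        href = html.escape(quote(f"{prefix.rstrip('/')}/{name}") + suffix, quote=True)
        text = html.escape(name + suffix, quote=True)
        items.append(f'<li><a href="{href}">{text}</a></li>')
    title = html.escape(f"Index of {prefix}", quote=True)
    return f"<html><body><h1>{title}</h1><ul>{''.join(items)}</ul></body></html>"


def leaks_raw_markup(page, entries):
    """Review helper: True if any entry name containing '<' appears in the page unescaped."""
    return any(name in page for name, _ in entries if "<" in name)


if __name__ == "__main__":
    print("unsafe leaks markup:", leaks_raw_markup(render_index_unsafe("/static", SAMPLE_ENTRIES), SAMPLE_ENTRIES))
    print("hardened leaks markup:", leaks_raw_markup(render_index("/static", SAMPLE_ENTRIES), SAMPLE_ENTRIES))
```

The same `leaks_raw_markup` check, run against the index page a patched server actually returns for a directory containing such a file, is a quick way to confirm the fix took effect.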

Mitigation

Install updates from vendor's website.

Vulnerable software versions

python3x-sqlparse (Red Hat package): before 0.5.0-1.el8ap

python3x-social-auth-app-django (Red Hat package): before 5.4.1-1.el8ap

python3x-requests (Red Hat package): before 2.32.2-1.el8ap

python3x-pydantic (Red Hat package): before 1.10.15-1.el8ap

python3x-pyOpenSSL (Red Hat package): before 24.1.0-1.el8ap

python3x-pulpcore (Red Hat package): before 3.28.27-1.el8ap

python3x-pulp-ansible (Red Hat package): before 0.20.7-1.el8ap

python3x-pillow (Red Hat package): before 10.3.0-1.el8ap

python3x-jinja2 (Red Hat package): before 3.1.4-1.el8ap

python3x-idna (Red Hat package): before 3.7-1.el8ap

python3x-gunicorn (Red Hat package): before 22.0.0-1.el8ap

python3x-galaxy-ng (Red Hat package): before 4.9.2-1.el8ap

python3x-cryptography (Red Hat package): before 42.0.5-1.el8ap

python3x-black (Red Hat package): before 22.8.0-2.el8ap

python3x-aiohttp (Red Hat package): before 3.9.5-1.el8ap

receptor (Red Hat package): before 1.4.8-1.el9ap

python-sqlparse (Red Hat package): before 0.5.0-1.el9ap

python-social-auth-app-django (Red Hat package): before 5.4.1-1.el9ap

python-requests (Red Hat package): before 2.32.2-1.el9ap

python-pydantic (Red Hat package): before 1.10.15-1.el9ap

python-pyOpenSSL (Red Hat package): before 24.1.0-1.el9ap

python-pulpcore (Red Hat package): before 3.28.27-1.el9ap

python-pulp-ansible (Red Hat package): before 0.20.7-1.el9ap

python-pillow (Red Hat package): before 10.3.0-1.el9ap

python-jinja2 (Red Hat package): before 3.1.4-1.el9ap

python-idna (Red Hat package): before 3.7-1.el9ap

python-gunicorn (Red Hat package): before 22.0.0-1.el9ap

python-galaxy-ng (Red Hat package): before 4.9.2-1.el9ap

python-cryptography (Red Hat package): before 42.0.5-1.el9ap

python-black (Red Hat package): before 22.8.0-2.el9ap

python-aiohttp (Red Hat package): before 3.9.5-1.el9ap

automation-hub (Red Hat package): before 4.9.2-1.el9ap

automation-eda-controller (Red Hat package): before 1.0.7-1.el9ap

automation-controller (Red Hat package): before 4.5.7-1.el9ap

ansible-rulebook (Red Hat package): before 1.0.7-1.el9ap

ansible-core (Red Hat package): before 2.15.11-1.el9ap

ansible-automation-platform-installer (Red Hat package): before 2.4-7.1.el9ap

External links

http://access.redhat.com/errata/RHSA-2024:3781


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Input validation error

EUVDB-ID: #VU87583

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-21503

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

python3x-sqlparse (Red Hat package): before 0.5.0-1.el8ap

python3x-social-auth-app-django (Red Hat package): before 5.4.1-1.el8ap

python3x-requests (Red Hat package): before 2.32.2-1.el8ap

python3x-pydantic (Red Hat package): before 1.10.15-1.el8ap

python3x-pyOpenSSL (Red Hat package): before 24.1.0-1.el8ap

python3x-pulpcore (Red Hat package): before 3.28.27-1.el8ap

python3x-pulp-ansible (Red Hat package): before 0.20.7-1.el8ap

python3x-pillow (Red Hat package): before 10.3.0-1.el8ap

python3x-jinja2 (Red Hat package): before 3.1.4-1.el8ap

python3x-idna (Red Hat package): before 3.7-1.el8ap

python3x-gunicorn (Red Hat package): before 22.0.0-1.el8ap

python3x-galaxy-ng (Red Hat package): before 4.9.2-1.el8ap

python3x-cryptography (Red Hat package): before 42.0.5-1.el8ap

python3x-black (Red Hat package): before 22.8.0-2.el8ap

python3x-aiohttp (Red Hat package): before 3.9.5-1.el8ap

receptor (Red Hat package): before 1.4.8-1.el9ap

python-sqlparse (Red Hat package): before 0.5.0-1.el9ap

python-social-auth-app-django (Red Hat package): before 5.4.1-1.el9ap

python-requests (Red Hat package): before 2.32.2-1.el9ap

python-pydantic (Red Hat package): before 1.10.15-1.el9ap

python-pyOpenSSL (Red Hat package): before 24.1.0-1.el9ap

python-pulpcore (Red Hat package): before 3.28.27-1.el9ap

python-pulp-ansible (Red Hat package): before 0.20.7-1.el9ap

python-pillow (Red Hat package): before 10.3.0-1.el9ap

python-jinja2 (Red Hat package): before 3.1.4-1.el9ap

python-idna (Red Hat package): before 3.7-1.el9ap

python-gunicorn (Red Hat package): before 22.0.0-1.el9ap

python-galaxy-ng (Red Hat package): before 4.9.2-1.el9ap

python-cryptography (Red Hat package): before 42.0.5-1.el9ap

python-black (Red Hat package): before 22.8.0-2.el9ap

python-aiohttp (Red Hat package): before 3.9.5-1.el9ap

automation-hub (Red Hat package): before 4.9.2-1.el9ap

automation-eda-controller (Red Hat package): before 1.0.7-1.el9ap

automation-controller (Red Hat package): before 4.5.7-1.el9ap

ansible-rulebook (Red Hat package): before 1.0.7-1.el9ap

ansible-core (Red Hat package): before 2.15.11-1.el9ap

ansible-automation-platform-installer (Red Hat package): before 2.4-7.1.el9ap

External links

http://access.redhat.com/errata/RHSA-2024:3781


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) NULL pointer dereference

EUVDB-ID: #VU87129

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-26130

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error within pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

python3x-sqlparse (Red Hat package): before 0.5.0-1.el8ap

python3x-social-auth-app-django (Red Hat package): before 5.4.1-1.el8ap

python3x-requests (Red Hat package): before 2.32.2-1.el8ap

python3x-pydantic (Red Hat package): before 1.10.15-1.el8ap

python3x-pyOpenSSL (Red Hat package): before 24.1.0-1.el8ap

python3x-pulpcore (Red Hat package): before 3.28.27-1.el8ap

python3x-pulp-ansible (Red Hat package): before 0.20.7-1.el8ap

python3x-pillow (Red Hat package): before 10.3.0-1.el8ap

python3x-jinja2 (Red Hat package): before 3.1.4-1.el8ap

python3x-idna (Red Hat package): before 3.7-1.el8ap

python3x-gunicorn (Red Hat package): before 22.0.0-1.el8ap

python3x-galaxy-ng (Red Hat package): before 4.9.2-1.el8ap

python3x-cryptography (Red Hat package): before 42.0.5-1.el8ap

python3x-black (Red Hat package): before 22.8.0-2.el8ap

python3x-aiohttp (Red Hat package): before 3.9.5-1.el8ap

receptor (Red Hat package): before 1.4.8-1.el9ap

python-sqlparse (Red Hat package): before 0.5.0-1.el9ap

python-social-auth-app-django (Red Hat package): before 5.4.1-1.el9ap

python-requests (Red Hat package): before 2.32.2-1.el9ap

python-pydantic (Red Hat package): before 1.10.15-1.el9ap

python-pyOpenSSL (Red Hat package): before 24.1.0-1.el9ap

python-pulpcore (Red Hat package): before 3.28.27-1.el9ap

python-pulp-ansible (Red Hat package): before 0.20.7-1.el9ap

python-pillow (Red Hat package): before 10.3.0-1.el9ap

python-jinja2 (Red Hat package): before 3.1.4-1.el9ap

python-idna (Red Hat package): before 3.7-1.el9ap

python-gunicorn (Red Hat package): before 22.0.0-1.el9ap

python-galaxy-ng (Red Hat package): before 4.9.2-1.el9ap

python-cryptography (Red Hat package): before 42.0.5-1.el9ap

python-black (Red Hat package): before 22.8.0-2.el9ap

python-aiohttp (Red Hat package): before 3.9.5-1.el9ap

automation-hub (Red Hat package): before 4.9.2-1.el9ap

automation-eda-controller (Red Hat package): before 1.0.7-1.el9ap

automation-controller (Red Hat package): before 4.5.7-1.el9ap

ansible-rulebook (Red Hat package): before 1.0.7-1.el9ap

ansible-core (Red Hat package): before 2.15.11-1.el9ap

ansible-automation-platform-installer (Red Hat package): before 2.4-7.1.el9ap

External links

http://access.redhat.com/errata/RHSA-2024:3781


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) NULL pointer dereference

EUVDB-ID: #VU83930

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-49083

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error when calling the load_pem_pkcs7_certificates() or load_der_pkcs7_certificates() functions. A remote attacker can pass a specially crafted PKCS7 blob/certificate to the application and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

python3x-sqlparse (Red Hat package): before 0.5.0-1.el8ap

python3x-social-auth-app-django (Red Hat package): before 5.4.1-1.el8ap

python3x-requests (Red Hat package): before 2.32.2-1.el8ap

python3x-pydantic (Red Hat package): before 1.10.15-1.el8ap

python3x-pyOpenSSL (Red Hat package): before 24.1.0-1.el8ap

python3x-pulpcore (Red Hat package): before 3.28.27-1.el8ap

python3x-pulp-ansible (Red Hat package): before 0.20.7-1.el8ap

python3x-pillow (Red Hat package): before 10.3.0-1.el8ap

python3x-jinja2 (Red Hat package): before 3.1.4-1.el8ap

python3x-idna (Red Hat package): before 3.7-1.el8ap

python3x-gunicorn (Red Hat package): before 22.0.0-1.el8ap

python3x-galaxy-ng (Red Hat package): before 4.9.2-1.el8ap

python3x-cryptography (Red Hat package): before 42.0.5-1.el8ap

python3x-black (Red Hat package): before 22.8.0-2.el8ap

python3x-aiohttp (Red Hat package): before 3.9.5-1.el8ap

receptor (Red Hat package): before 1.4.8-1.el9ap

python-sqlparse (Red Hat package): before 0.5.0-1.el9ap

python-social-auth-app-django (Red Hat package): before 5.4.1-1.el9ap

python-requests (Red Hat package): before 2.32.2-1.el9ap

python-pydantic (Red Hat package): before 1.10.15-1.el9ap

python-pyOpenSSL (Red Hat package): before 24.1.0-1.el9ap

python-pulpcore (Red Hat package): before 3.28.27-1.el9ap

python-pulp-ansible (Red Hat package): before 0.20.7-1.el9ap

python-pillow (Red Hat package): before 10.3.0-1.el9ap

python-jinja2 (Red Hat package): before 3.1.4-1.el9ap

python-idna (Red Hat package): before 3.7-1.el9ap

python-gunicorn (Red Hat package): before 22.0.0-1.el9ap

python-galaxy-ng (Red Hat package): before 4.9.2-1.el9ap

python-cryptography (Red Hat package): before 42.0.5-1.el9ap

python-black (Red Hat package): before 22.8.0-2.el9ap

python-aiohttp (Red Hat package): before 3.9.5-1.el9ap

automation-hub (Red Hat package): before 4.9.2-1.el9ap

automation-eda-controller (Red Hat package): before 1.0.7-1.el9ap

automation-controller (Red Hat package): before 4.5.7-1.el9ap

ansible-rulebook (Red Hat package): before 1.0.7-1.el9ap

ansible-core (Red Hat package): before 2.15.11-1.el9ap

ansible-automation-platform-installer (Red Hat package): before 2.4-7.1.el9ap

External links

http://access.redhat.com/errata/RHSA-2024:3781


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Inconsistent interpretation of HTTP requests

EUVDB-ID: #VU89167

Risk: Medium

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-1135

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.

The vulnerability exists due to improper validation of HTTP requests when handling Transfer-Encoding headers. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.

Successful exploitation of the vulnerability may allow an attacker to poison the HTTP cache and perform phishing attacks.
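A defender-side check for the class of ambiguity described above, added here as an example and not code from the advisory or from any of the listed packages: it parses a raw request and reports framing that a front end and a back end could interpret differently. The sample requests are constructed, and the check is a general one, not a signature for the specific gunicorn bug.

```python
import re

# Constructed sample requests (not taken from the advisory); CRLF line endings as on the wire.
CLEAN_CL = (b"POST /api/ HTTP/1.1\r\nHost: hub.example\r\n"
            b"Content-Length: 5\r\n\r\nhello")
CLEAN_TE = (b"POST /api/ HTTP/1.1\r\nHost: hub.example\r\n"
            b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n")
CL_AND_TE = (b"POST /api/ HTTP/1.1\r\nHost: hub.example\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
ODD_TE = (b"POST /api/ HTTP/1.1\r\nHost: hub.example\r\n"
          b"Transfer-Encoding: chunked, identity\r\n\r\n0\r\n\r\n")
DUP_CL = (b"POST /api/ HTTP/1.1\r\nHost: hub.example\r\n"
          b"Content-Length: 5\r\nContent-Length: 6\r\n\r\nhello!")
SPACED_NAME = (b"POST /api/ HTTP/1.1\r\nHost: hub.example\r\n"
               b"Transfer-Encoding : chunked\r\n\r\n0\r\n\r\n")


def parse_headers(raw: bytes) -> list:
    """Return (raw_name, value) pairs from the header block; raw_name keeps any stray whitespace."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    pairs = []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        pairs.append((name, value.decode("latin-1").strip()))
    return pairs


def framing_findings(raw: bytes) -> list:
    """List the reasons a request's body framing is ambiguous; an empty list means unambiguous."""
    findings = []
    cl, te = [], []
    for raw_name, value in parse_headers(raw):
        if raw_name != raw_name.strip():
            # A name like "Transfer-Encoding " is tolerated by some parsers and rejected by others.
            findings.append(f"whitespace around header name {raw_name!r}: hops may disagree on it")
        name = raw_name.strip().lower()
        if name == b"content-length":
            cl.append(value)
        elif name == b"transfer-encoding":
            te.append(value)
    if cl and te:
        findings.append("both Content-Length and Transfer-Encoding present: "
                        "RFC 9112 says Transfer-Encoding wins, but not every hop agrees")
    if len(set(cl)) > 1:
        findings.append(f"conflicting Content-Length values {cl}")
    for value in cl:
        if not re.fullmatch(r"[0-9]+", value):
            findings.append(f"malformed Content-Length {value!r}")
    for value in te:
        codings = [c.strip().lower() for c in value.split(",")]
        if codings != ["chunked"]:
            # Lists such as "chunked, identity" are where implementations diverge most.
            findings.append(f"non-canonical Transfer-Encoding {value!r}: only a bare 'chunked' is unambiguous")
    return findings


if __name__ == "__main__":
    for label, sample in [("clean CL", CLEAN_CL), ("clean TE", CLEAN_TE), ("CL+TE", CL_AND_TE),
                          ("odd TE", ODD_TE), ("dup CL", DUP_CL), ("spaced name", SPACED_NAME)]:
        print(label, framing_findings(sample) or "ok")
```

Requests that produce findings are the ones to reject at the edge (or at least log), rather than forward to an upstream that may frame them differently.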

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

python3x-sqlparse (Red Hat package): before 0.5.0-1.el8ap

python3x-social-auth-app-django (Red Hat package): before 5.4.1-1.el8ap

python3x-requests (Red Hat package): before 2.32.2-1.el8ap

python3x-pydantic (Red Hat package): before 1.10.15-1.el8ap

python3x-pyOpenSSL (Red Hat package): before 24.1.0-1.el8ap

python3x-pulpcore (Red Hat package): before 3.28.27-1.el8ap

python3x-pulp-ansible (Red Hat package): before 0.20.7-1.el8ap

python3x-pillow (Red Hat package): before 10.3.0-1.el8ap

python3x-jinja2 (Red Hat package): before 3.1.4-1.el8ap

python3x-idna (Red Hat package): before 3.7-1.el8ap

python3x-gunicorn (Red Hat package): before 22.0.0-1.el8ap

python3x-galaxy-ng (Red Hat package): before 4.9.2-1.el8ap

python3x-cryptography (Red Hat package): before 42.0.5-1.el8ap

python3x-black (Red Hat package): before 22.8.0-2.el8ap

python3x-aiohttp (Red Hat package): before 3.9.5-1.el8ap

receptor (Red Hat package): before 1.4.8-1.el9ap

python-sqlparse (Red Hat package): before 0.5.0-1.el9ap

python-social-auth-app-django (Red Hat package): before 5.4.1-1.el9ap

python-requests (Red Hat package): before 2.32.2-1.el9ap

python-pydantic (Red Hat package): before 1.10.15-1.el9ap

python-pyOpenSSL (Red Hat package): before 24.1.0-1.el9ap

python-pulpcore (Red Hat package): before 3.28.27-1.el9ap

python-pulp-ansible (Red Hat package): before 0.20.7-1.el9ap

python-pillow (Red Hat package): before 10.3.0-1.el9ap

python-jinja2 (Red Hat package): before 3.1.4-1.el9ap

python-idna (Red Hat package): before 3.7-1.el9ap

python-gunicorn (Red Hat package): before 22.0.0-1.el9ap

python-galaxy-ng (Red Hat package): before 4.9.2-1.el9ap

python-cryptography (Red Hat package): before 42.0.5-1.el9ap

python-black (Red Hat package): before 22.8.0-2.el9ap

python-aiohttp (Red Hat package): before 3.9.5-1.el9ap

automation-hub (Red Hat package): before 4.9.2-1.el9ap

automation-eda-controller (Red Hat package): before 1.0.7-1.el9ap

automation-controller (Red Hat package): before 4.5.7-1.el9ap

ansible-rulebook (Red Hat package): before 1.0.7-1.el9ap

ansible-core (Red Hat package): before 2.15.11-1.el9ap

ansible-automation-platform-installer (Red Hat package): before 2.4-7.1.el9ap

External links

http://access.redhat.com/errata/RHSA-2024:3781


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Resource exhaustion

EUVDB-ID: #VU88828

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-3651

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the application does not properly control consumption of internal resources within the idna.encode() function. A remote attacker can pass an overly long domain name to the application and perform a denial of service (DoS) attack.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

python3x-sqlparse (Red Hat package): before 0.5.0-1.el8ap

python3x-social-auth-app-django (Red Hat package): before 5.4.1-1.el8ap

python3x-requests (Red Hat package): before 2.32.2-1.el8ap

python3x-pydantic (Red Hat package): before 1.10.15-1.el8ap

python3x-pyOpenSSL (Red Hat package): before 24.1.0-1.el8ap

python3x-pulpcore (Red Hat package): before 3.28.27-1.el8ap

python3x-pulp-ansible (Red Hat package): before 0.20.7-1.el8ap

python3x-pillow (Red Hat package): before 10.3.0-1.el8ap

python3x-jinja2 (Red Hat package): before 3.1.4-1.el8ap

python3x-idna (Red Hat package): before 3.7-1.el8ap

python3x-gunicorn (Red Hat package): before 22.0.0-1.el8ap

python3x-galaxy-ng (Red Hat package): before 4.9.2-1.el8ap

python3x-cryptography (Red Hat package): before 42.0.5-1.el8ap

python3x-black (Red Hat package): before 22.8.0-2.el8ap

python3x-aiohttp (Red Hat package): before 3.9.5-1.el8ap

receptor (Red Hat package): before 1.4.8-1.el9ap

python-sqlparse (Red Hat package): before 0.5.0-1.el9ap

python-social-auth-app-django (Red Hat package): before 5.4.1-1.el9ap

python-requests (Red Hat package): before 2.32.2-1.el9ap

python-pydantic (Red Hat package): before 1.10.15-1.el9ap

python-pyOpenSSL (Red Hat package): before 24.1.0-1.el9ap

python-pulpcore (Red Hat package): before 3.28.27-1.el9ap

python-pulp-ansible (Red Hat package): before 0.20.7-1.el9ap

python-pillow (Red Hat package): before 10.3.0-1.el9ap

python-jinja2 (Red Hat package): before 3.1.4-1.el9ap

python-idna (Red Hat package): before 3.7-1.el9ap

python-gunicorn (Red Hat package): before 22.0.0-1.el9ap

python-galaxy-ng (Red Hat package): before 4.9.2-1.el9ap

python-cryptography (Red Hat package): before 42.0.5-1.el9ap

python-black (Red Hat package): before 22.8.0-2.el9ap

python-aiohttp (Red Hat package): before 3.9.5-1.el9ap

automation-hub (Red Hat package): before 4.9.2-1.el9ap

automation-eda-controller (Red Hat package): before 1.0.7-1.el9ap

automation-controller (Red Hat package): before 4.5.7-1.el9ap

ansible-rulebook (Red Hat package): before 1.0.7-1.el9ap

ansible-core (Red Hat package): before 2.15.11-1.el9ap

ansible-automation-platform-installer (Red Hat package): before 2.4-7.1.el9ap

External links

http://access.redhat.com/errata/RHSA-2024:3781


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Cross-site scripting

EUVDB-ID: #VU89677

Risk: Medium

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-34064

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data within the "xmlattr" filter. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

python3x-sqlparse (Red Hat package): before 0.5.0-1.el8ap

python3x-social-auth-app-django (Red Hat package): before 5.4.1-1.el8ap

python3x-requests (Red Hat package): before 2.32.2-1.el8ap

python3x-pydantic (Red Hat package): before 1.10.15-1.el8ap

python3x-pyOpenSSL (Red Hat package): before 24.1.0-1.el8ap

python3x-pulpcore (Red Hat package): before 3.28.27-1.el8ap

python3x-pulp-ansible (Red Hat package): before 0.20.7-1.el8ap

python3x-pillow (Red Hat package): before 10.3.0-1.el8ap

python3x-jinja2 (Red Hat package): before 3.1.4-1.el8ap

python3x-idna (Red Hat package): before 3.7-1.el8ap

python3x-gunicorn (Red Hat package): before 22.0.0-1.el8ap

python3x-galaxy-ng (Red Hat package): before 4.9.2-1.el8ap

python3x-cryptography (Red Hat package): before 42.0.5-1.el8ap

python3x-black (Red Hat package): before 22.8.0-2.el8ap

python3x-aiohttp (Red Hat package): before 3.9.5-1.el8ap

receptor (Red Hat package): before 1.4.8-1.el9ap

python-sqlparse (Red Hat package): before 0.5.0-1.el9ap

python-social-auth-app-django (Red Hat package): before 5.4.1-1.el9ap

python-requests (Red Hat package): before 2.32.2-1.el9ap

python-pydantic (Red Hat package): before 1.10.15-1.el9ap

python-pyOpenSSL (Red Hat package): before 24.1.0-1.el9ap

python-pulpcore (Red Hat package): before 3.28.27-1.el9ap

python-pulp-ansible (Red Hat package): before 0.20.7-1.el9ap

python-pillow (Red Hat package): before 10.3.0-1.el9ap

python-jinja2 (Red Hat package): before 3.1.4-1.el9ap

python-idna (Red Hat package): before 3.7-1.el9ap

python-gunicorn (Red Hat package): before 22.0.0-1.el9ap

python-galaxy-ng (Red Hat package): before 4.9.2-1.el9ap

python-cryptography (Red Hat package): before 42.0.5-1.el9ap

python-black (Red Hat package): before 22.8.0-2.el9ap

python-aiohttp (Red Hat package): before 3.9.5-1.el9ap

automation-hub (Red Hat package): before 4.9.2-1.el9ap

automation-eda-controller (Red Hat package): before 1.0.7-1.el9ap

automation-controller (Red Hat package): before 4.5.7-1.el9ap

ansible-rulebook (Red Hat package): before 1.0.7-1.el9ap

ansible-core (Red Hat package): before 2.15.11-1.el9ap

ansible-automation-platform-installer (Red Hat package): before 2.4-7.1.el9ap

External links

http://access.redhat.com/errata/RHSA-2024:3781


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Buffer overflow

EUVDB-ID: #VU88063

Risk: Medium

CVSSv3.1: 6.2 [CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-28219

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in "_imagingcms.c". A remote user can trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

python3x-sqlparse (Red Hat package): before 0.5.0-1.el8ap

python3x-social-auth-app-django (Red Hat package): before 5.4.1-1.el8ap

python3x-requests (Red Hat package): before 2.32.2-1.el8ap

python3x-pydantic (Red Hat package): before 1.10.15-1.el8ap

python3x-pyOpenSSL (Red Hat package): before 24.1.0-1.el8ap

python3x-pulpcore (Red Hat package): before 3.28.27-1.el8ap

python3x-pulp-ansible (Red Hat package): before 0.20.7-1.el8ap

python3x-pillow (Red Hat package): before 10.3.0-1.el8ap

python3x-jinja2 (Red Hat package): before 3.1.4-1.el8ap

python3x-idna (Red Hat package): before 3.7-1.el8ap

python3x-gunicorn (Red Hat package): before 22.0.0-1.el8ap

python3x-galaxy-ng (Red Hat package): before 4.9.2-1.el8ap

python3x-cryptography (Red Hat package): before 42.0.5-1.el8ap

python3x-black (Red Hat package): before 22.8.0-2.el8ap

python3x-aiohttp (Red Hat package): before 3.9.5-1.el8ap

receptor (Red Hat package): before 1.4.8-1.el9ap

python-sqlparse (Red Hat package): before 0.5.0-1.el9ap

python-social-auth-app-django (Red Hat package): before 5.4.1-1.el9ap

python-requests (Red Hat package): before 2.32.2-1.el9ap

python-pydantic (Red Hat package): before 1.10.15-1.el9ap

python-pyOpenSSL (Red Hat package): before 24.1.0-1.el9ap

python-pulpcore (Red Hat package): before 3.28.27-1.el9ap

python-pulp-ansible (Red Hat package): before 0.20.7-1.el9ap

python-pillow (Red Hat package): before 10.3.0-1.el9ap

python-jinja2 (Red Hat package): before 3.1.4-1.el9ap

python-idna (Red Hat package): before 3.7-1.el9ap

python-gunicorn (Red Hat package): before 22.0.0-1.el9ap

python-galaxy-ng (Red Hat package): before 4.9.2-1.el9ap

python-cryptography (Red Hat package): before 42.0.5-1.el9ap

python-black (Red Hat package): before 22.8.0-2.el9ap

python-aiohttp (Red Hat package): before 3.9.5-1.el9ap

automation-hub (Red Hat package): before 4.9.2-1.el9ap

automation-eda-controller (Red Hat package): before 1.0.7-1.el9ap

automation-controller (Red Hat package): before 4.5.7-1.el9ap

ansible-rulebook (Red Hat package): before 1.0.7-1.el9ap

ansible-core (Red Hat package): before 2.15.11-1.el9ap

ansible-automation-platform-installer (Red Hat package): before 2.4-7.1.el9ap

External links

http://access.redhat.com/errata/RHSA-2024:3781


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Code Injection

EUVDB-ID: #VU85743

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-50447

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation within the PIL.ImageMath.eval function. A remote attacker can send a specially crafted input to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
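Where an application must accept user-supplied ImageMath expressions at all, a structural allowlist on the expression's syntax tree is the usual defence-in-depth measure. The block below is an added example, not Pillow's own code or its fix; the set of helper function names it allows (abs, convert, float, int, max, min, equal, notequal) is an assumption about the ImageMath language and should be checked against the Pillow version in use.

```python
import ast

# Syntax the expression language needs: arithmetic, bitwise and comparison operators, names, calls.
# Attribute access, subscripts, lambdas, comprehensions and the like are deliberately absent.
_ALLOWED_NODES = (
    ast.Expression, ast.BinOp, ast.UnaryOp, ast.Compare, ast.BoolOp,
    ast.Name, ast.Load, ast.Constant, ast.Call,
    ast.Add, ast.Sub, ast.Mult, ast.Div, ast.FloorDiv, ast.Mod, ast.Pow,
    ast.LShift, ast.RShift, ast.BitOr, ast.BitXor, ast.BitAnd,
    ast.Invert, ast.Not, ast.UAdd, ast.USub,
    ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE, ast.And, ast.Or,
)
# Assumed ImageMath helper names; adjust to the Pillow version actually deployed.
_ALLOWED_FUNCS = {"abs", "convert", "float", "int", "max", "min", "equal", "notequal"}


def validate_image_expression(expression: str, image_names: set) -> ast.Expression:
    """Parse `expression` and raise ValueError unless it only uses allowed syntax and names."""
    for name in image_names:
        # Environment keys are names the expression can reach; never let dunder-style keys through.
        if not name.isidentifier() or name.startswith("_"):
            raise ValueError(f"image name {name!r} is not a plain identifier")
    tree = ast.parse(expression, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED_NODES):
            raise ValueError(f"disallowed syntax: {type(node).__name__}")
        if isinstance(node, ast.Constant) and not isinstance(node.value, (int, float, str)):
            raise ValueError("only numeric and string literals are allowed")
        if isinstance(node, ast.Call):
            if not isinstance(node.func, ast.Name) or node.func.id not in _ALLOWED_FUNCS:
                raise ValueError("only the ImageMath helper functions may be called")
            if node.keywords:
                raise ValueError("keyword arguments are not allowed")
        if isinstance(node, ast.Name) and node.id not in image_names and node.id not in _ALLOWED_FUNCS:
            raise ValueError(f"unknown name {node.id!r}")
    return tree


def is_safe_expression(expression: str, image_names: set) -> bool:
    """Boolean wrapper: True only if the expression passes validation and parses at all."""
    try:
        validate_image_expression(expression, image_names)
        return True
    except (ValueError, SyntaxError):
        return False


if __name__ == "__main__":
    images = {"a", "b"}                      # constructed environment keys
    for expr in ["(a + b) / 2", "convert(min(a, b) * 255, 'L')", "a.__class__", "a[0]", "lambda: a"]:
        print(f"{expr!r:40} -> {'accepted' if is_safe_expression(expr, images) else 'rejected'}")
```

Validation happens before the expression is handed to the evaluator, so untrusted text never reaches eval-style code paths unchecked.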

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

python3x-sqlparse (Red Hat package): before 0.5.0-1.el8ap

python3x-social-auth-app-django (Red Hat package): before 5.4.1-1.el8ap

python3x-requests (Red Hat package): before 2.32.2-1.el8ap

python3x-pydantic (Red Hat package): before 1.10.15-1.el8ap

python3x-pyOpenSSL (Red Hat package): before 24.1.0-1.el8ap

python3x-pulpcore (Red Hat package): before 3.28.27-1.el8ap

python3x-pulp-ansible (Red Hat package): before 0.20.7-1.el8ap

python3x-pillow (Red Hat package): before 10.3.0-1.el8ap

python3x-jinja2 (Red Hat package): before 3.1.4-1.el8ap

python3x-idna (Red Hat package): before 3.7-1.el8ap

python3x-gunicorn (Red Hat package): before 22.0.0-1.el8ap

python3x-galaxy-ng (Red Hat package): before 4.9.2-1.el8ap

python3x-cryptography (Red Hat package): before 42.0.5-1.el8ap

python3x-black (Red Hat package): before 22.8.0-2.el8ap

python3x-aiohttp (Red Hat package): before 3.9.5-1.el8ap

receptor (Red Hat package): before 1.4.8-1.el9ap

python-sqlparse (Red Hat package): before 0.5.0-1.el9ap

python-social-auth-app-django (Red Hat package): before 5.4.1-1.el9ap

python-requests (Red Hat package): before 2.32.2-1.el9ap

python-pydantic (Red Hat package): before 1.10.15-1.el9ap

python-pyOpenSSL (Red Hat package): before 24.1.0-1.el9ap

python-pulpcore (Red Hat package): before 3.28.27-1.el9ap

python-pulp-ansible (Red Hat package): before 0.20.7-1.el9ap

python-pillow (Red Hat package): before 10.3.0-1.el9ap

python-jinja2 (Red Hat package): before 3.1.4-1.el9ap

python-idna (Red Hat package): before 3.7-1.el9ap

python-gunicorn (Red Hat package): before 22.0.0-1.el9ap

python-galaxy-ng (Red Hat package): before 4.9.2-1.el9ap

python-cryptography (Red Hat package): before 42.0.5-1.el9ap

python-black (Red Hat package): before 22.8.0-2.el9ap

python-aiohttp (Red Hat package): before 3.9.5-1.el9ap

automation-hub (Red Hat package): before 4.9.2-1.el9ap

automation-eda-controller (Red Hat package): before 1.0.7-1.el9ap

automation-controller (Red Hat package): before 4.5.7-1.el9ap

ansible-rulebook (Red Hat package): before 1.0.7-1.el9ap

ansible-core (Red Hat package): before 2.15.11-1.el9ap

ansible-automation-platform-installer (Red Hat package): before 2.4-7.1.el9ap

External links

http://access.redhat.com/errata/RHSA-2024:3781


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Security features bypass

EUVDB-ID: #VU90156

Risk: Low

CVSSv3.1: 4.9 [CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-35195

CWE-ID: CWE-254 - Security Features

Exploit availability: No

Description

The vulnerability allows a local user to compromise the target system.

The vulnerability exists because the session object does not verify subsequent requests after the first request has been made with verify=False. A local administrator can bypass authentication.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

python3x-sqlparse (Red Hat package): before 0.5.0-1.el8ap

python3x-social-auth-app-django (Red Hat package): before 5.4.1-1.el8ap

python3x-requests (Red Hat package): before 2.32.2-1.el8ap

python3x-pydantic (Red Hat package): before 1.10.15-1.el8ap

python3x-pyOpenSSL (Red Hat package): before 24.1.0-1.el8ap

python3x-pulpcore (Red Hat package): before 3.28.27-1.el8ap

python3x-pulp-ansible (Red Hat package): before 0.20.7-1.el8ap

python3x-pillow (Red Hat package): before 10.3.0-1.el8ap

python3x-jinja2 (Red Hat package): before 3.1.4-1.el8ap

python3x-idna (Red Hat package): before 3.7-1.el8ap

python3x-gunicorn (Red Hat package): before 22.0.0-1.el8ap

python3x-galaxy-ng (Red Hat package): before 4.9.2-1.el8ap

python3x-cryptography (Red Hat package): before 42.0.5-1.el8ap

python3x-black (Red Hat package): before 22.8.0-2.el8ap

python3x-aiohttp (Red Hat package): before 3.9.5-1.el8ap

receptor (Red Hat package): before 1.4.8-1.el9ap

python-sqlparse (Red Hat package): before 0.5.0-1.el9ap

python-social-auth-app-django (Red Hat package): before 5.4.1-1.el9ap

python-requests (Red Hat package): before 2.32.2-1.el9ap

python-pydantic (Red Hat package): before 1.10.15-1.el9ap

python-pyOpenSSL (Red Hat package): before 24.1.0-1.el9ap

python-pulpcore (Red Hat package): before 3.28.27-1.el9ap

python-pulp-ansible (Red Hat package): before 0.20.7-1.el9ap

python-pillow (Red Hat package): before 10.3.0-1.el9ap

python-jinja2 (Red Hat package): before 3.1.4-1.el9ap

python-idna (Red Hat package): before 3.7-1.el9ap

python-gunicorn (Red Hat package): before 22.0.0-1.el9ap

python-galaxy-ng (Red Hat package): before 4.9.2-1.el9ap

python-cryptography (Red Hat package): before 42.0.5-1.el9ap

python-black (Red Hat package): before 22.8.0-2.el9ap

python-aiohttp (Red Hat package): before 3.9.5-1.el9ap

automation-hub (Red Hat package): before 4.9.2-1.el9ap

automation-eda-controller (Red Hat package): before 1.0.7-1.el9ap

automation-controller (Red Hat package): before 4.5.7-1.el9ap

ansible-rulebook (Red Hat package): before 1.0.7-1.el9ap

ansible-core (Red Hat package): before 2.15.11-1.el9ap

ansible-automation-platform-installer (Red Hat package): before 2.4-7.1.el9ap

External links

http://access.redhat.com/errata/RHSA-2024:3781


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Improper Handling of Case Sensitivity

EUVDB-ID: #VU89132

Risk: Medium

CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-32879

CWE-ID: CWE-178 - Improper Handling of Case Sensitivity

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the default case-insensitive collation in MySQL or MariaDB databases. A remote user can bypass the authentication process and gain unauthorized access to the application.
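To show how a collation can widen an identity lookup, and one way to close it, here is an added example that is not code from social-auth-app-django or from its fix. It uses an in-memory SQLite table with COLLATE NOCASE as a stand-in for a MySQL or MariaDB case-insensitive default; the table, rows and column names are constructed.

```python
import sqlite3

# Constructed sample account link: one provider-issued uid mapped to one local account.
SAMPLE_ROWS = [("example-idp", "Alice", "alice@corp.example")]


def build_db(case_insensitive: bool) -> sqlite3.Connection:
    """COLLATE NOCASE mimics a case-insensitive default collation; BINARY mimics a case-sensitive one."""
    conn = sqlite3.connect(":memory:")
    collate = "COLLATE NOCASE" if case_insensitive else "COLLATE BINARY"   # fixed DDL, not user input
    conn.execute(f"CREATE TABLE social_auth (provider TEXT, uid TEXT {collate}, username TEXT)")
    conn.executemany("INSERT INTO social_auth VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_naive(conn: sqlite3.Connection, provider: str, uid: str):
    """Trusts the database's equality semantics: under NOCASE, 'alice' matches the row for 'Alice'."""
    row = conn.execute(
        "SELECT uid, username FROM social_auth WHERE provider = ? AND uid = ?",
        (provider, uid),
    ).fetchone()
    return row[1] if row else None


def lookup_hardened(conn: sqlite3.Connection, provider: str, uid: str):
    """Let the database narrow candidates, then re-check the uid exactly in application code."""
    for stored_uid, username in conn.execute(
        "SELECT uid, username FROM social_auth WHERE provider = ? AND uid = ?",
        (provider, uid),
    ):
        if stored_uid == uid:          # byte-for-byte comparison, independent of collation
            return username
    return None


if __name__ == "__main__":
    ci = build_db(case_insensitive=True)
    print("naive, NOCASE, uid 'alice':   ", lookup_naive(ci, "example-idp", "alice"))
    print("hardened, NOCASE, uid 'alice':", lookup_hardened(ci, "example-idp", "alice"))
    print("hardened, NOCASE, uid 'Alice':", lookup_hardened(ci, "example-idp", "Alice"))
```

The application-side comparison makes the result independent of whatever collation the deployment's database happens to use.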

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

python3x-sqlparse (Red Hat package): before 0.5.0-1.el8ap

python3x-social-auth-app-django (Red Hat package): before 5.4.1-1.el8ap

python3x-requests (Red Hat package): before 2.32.2-1.el8ap

python3x-pydantic (Red Hat package): before 1.10.15-1.el8ap

python3x-pyOpenSSL (Red Hat package): before 24.1.0-1.el8ap

python3x-pulpcore (Red Hat package): before 3.28.27-1.el8ap

python3x-pulp-ansible (Red Hat package): before 0.20.7-1.el8ap

python3x-pillow (Red Hat package): before 10.3.0-1.el8ap

python3x-jinja2 (Red Hat package): before 3.1.4-1.el8ap

python3x-idna (Red Hat package): before 3.7-1.el8ap

python3x-gunicorn (Red Hat package): before 22.0.0-1.el8ap

python3x-galaxy-ng (Red Hat package): before 4.9.2-1.el8ap

python3x-cryptography (Red Hat package): before 42.0.5-1.el8ap

python3x-black (Red Hat package): before 22.8.0-2.el8ap

python3x-aiohttp (Red Hat package): before 3.9.5-1.el8ap

receptor (Red Hat package): before 1.4.8-1.el9ap

python-sqlparse (Red Hat package): before 0.5.0-1.el9ap

python-social-auth-app-django (Red Hat package): before 5.4.1-1.el9ap

python-requests (Red Hat package): before 2.32.2-1.el9ap

python-pydantic (Red Hat package): before 1.10.15-1.el9ap

python-pyOpenSSL (Red Hat package): before 24.1.0-1.el9ap

python-pulpcore (Red Hat package): before 3.28.27-1.el9ap

python-pulp-ansible (Red Hat package): before 0.20.7-1.el9ap

python-pillow (Red Hat package): before 10.3.0-1.el9ap

python-jinja2 (Red Hat package): before 3.1.4-1.el9ap

python-idna (Red Hat package): before 3.7-1.el9ap

python-gunicorn (Red Hat package): before 22.0.0-1.el9ap

python-galaxy-ng (Red Hat package): before 4.9.2-1.el9ap

python-cryptography (Red Hat package): before 42.0.5-1.el9ap

python-black (Red Hat package): before 22.8.0-2.el9ap

python-aiohttp (Red Hat package): before 3.9.5-1.el9ap

automation-hub (Red Hat package): before 4.9.2-1.el9ap

automation-eda-controller (Red Hat package): before 1.0.7-1.el9ap

automation-controller (Red Hat package): before 4.5.7-1.el9ap

ansible-rulebook (Red Hat package): before 1.0.7-1.el9ap

ansible-core (Red Hat package): before 2.15.11-1.el9ap

ansible-automation-platform-installer (Red Hat package): before 2.4-7.1.el9ap

External links

http://access.redhat.com/errata/RHSA-2024:3781


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Uncontrolled Recursion

EUVDB-ID: #VU89381

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-4340

CWE-ID: CWE-674 - Uncontrolled Recursion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an uncontrolled recursion when processing a heavily nested list in sqlparse.parse(). A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
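A size and nesting guard that an application can run on untrusted SQL text before handing it to a recursive parser such as sqlparse.parse(), added here as an example and not sqlparse's own code or its fix. The depth limit of 64 is an assumed policy value; the scanner ignores brackets inside quoted strings and comments so that ordinary statements are not rejected.

```python
def max_nesting_depth(sql: str) -> int:
    """Deepest level of (), [] or {} nesting, ignoring brackets inside quoted strings and comments."""
    depth = max_depth = 0
    quote = None                      # the quote character currently open, if any
    i, n = 0, len(sql)
    while i < n:
        ch = sql[i]
        if quote:
            if ch == quote:
                if i + 1 < n and sql[i + 1] == quote:   # doubled quote is an escaped quote
                    i += 2
                    continue
                quote = None
            i += 1
            continue
        if ch in ("'", '"', "`"):
            quote = ch
        elif sql.startswith("--", i):                   # line comment: skip to end of line
            nl = sql.find("\n", i)
            i = n if nl == -1 else nl
            continue
        elif sql.startswith("/*", i):                   # block comment: skip to its close
            end = sql.find("*/", i + 2)
            i = n if end == -1 else end + 2
            continue
        elif ch in "([{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in ")]}":
            depth = max(depth - 1, 0)                   # tolerate unbalanced input
        i += 1
    return max_depth


def check_sql_size(sql: str, max_depth: int = 64, max_length: int = 100_000) -> int:
    """Raise ValueError for input that is too long or too deeply nested; otherwise return its depth."""
    if len(sql) > max_length:
        raise ValueError(f"statement too long ({len(sql)} > {max_length} characters)")
    depth = max_nesting_depth(sql)
    if depth > max_depth:
        raise ValueError(f"nesting too deep ({depth} > {max_depth})")
    return depth


if __name__ == "__main__":
    # Constructed inputs: a normal statement and a pathological one.
    print(check_sql_size("SELECT id FROM t WHERE x IN (1, (SELECT y FROM u))"))
    deep = "SELECT " + "(" * 5000 + "1" + ")" * 5000
    try:
        check_sql_size(deep)
    except ValueError as exc:
        print("rejected:", exc)
```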

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

python3x-sqlparse (Red Hat package): before 0.5.0-1.el8ap

python3x-social-auth-app-django (Red Hat package): before 5.4.1-1.el8ap

python3x-requests (Red Hat package): before 2.32.2-1.el8ap

python3x-pydantic (Red Hat package): before 1.10.15-1.el8ap

python3x-pyOpenSSL (Red Hat package): before 24.1.0-1.el8ap

python3x-pulpcore (Red Hat package): before 3.28.27-1.el8ap

python3x-pulp-ansible (Red Hat package): before 0.20.7-1.el8ap

python3x-pillow (Red Hat package): before 10.3.0-1.el8ap

python3x-jinja2 (Red Hat package): before 3.1.4-1.el8ap

python3x-idna (Red Hat package): before 3.7-1.el8ap

python3x-gunicorn (Red Hat package): before 22.0.0-1.el8ap

python3x-galaxy-ng (Red Hat package): before 4.9.2-1.el8ap

python3x-cryptography (Red Hat package): before 42.0.5-1.el8ap

python3x-black (Red Hat package): before 22.8.0-2.el8ap

python3x-aiohttp (Red Hat package): before 3.9.5-1.el8ap

receptor (Red Hat package): before 1.4.8-1.el9ap

python-sqlparse (Red Hat package): before 0.5.0-1.el9ap

python-social-auth-app-django (Red Hat package): before 5.4.1-1.el9ap

python-requests (Red Hat package): before 2.32.2-1.el9ap

python-pydantic (Red Hat package): before 1.10.15-1.el9ap

python-pyOpenSSL (Red Hat package): before 24.1.0-1.el9ap

python-pulpcore (Red Hat package): before 3.28.27-1.el9ap

python-pulp-ansible (Red Hat package): before 0.20.7-1.el9ap

python-pillow (Red Hat package): before 10.3.0-1.el9ap

python-jinja2 (Red Hat package): before 3.1.4-1.el9ap

python-idna (Red Hat package): before 3.7-1.el9ap

python-gunicorn (Red Hat package): before 22.0.0-1.el9ap

python-galaxy-ng (Red Hat package): before 4.9.2-1.el9ap

python-cryptography (Red Hat package): before 42.0.5-1.el9ap

python-black (Red Hat package): before 22.8.0-2.el9ap

python-aiohttp (Red Hat package): before 3.9.5-1.el9ap

automation-hub (Red Hat package): before 4.9.2-1.el9ap

automation-eda-controller (Red Hat package): before 1.0.7-1.el9ap

automation-controller (Red Hat package): before 4.5.7-1.el9ap

ansible-rulebook (Red Hat package): before 1.0.7-1.el9ap

ansible-core (Red Hat package): before 2.15.11-1.el9ap

ansible-automation-platform-installer (Red Hat package): before 2.4-7.1.el9ap

External links

http://access.redhat.com/errata/RHSA-2024:3781


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Error Handling

EUVDB-ID: #VU87196

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-24783

CWE-ID: CWE-388 - Error Handling

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in crypto/x509 due to improper validation of a certificate chain that contains an unknown public key. A remote attacker can pass a specially crafted certificate to the application and perform a denial of service (DoS) attack.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

python3x-sqlparse (Red Hat package): before 0.5.0-1.el8ap

python3x-social-auth-app-django (Red Hat package): before 5.4.1-1.el8ap

python3x-requests (Red Hat package): before 2.32.2-1.el8ap

python3x-pydantic (Red Hat package): before 1.10.15-1.el8ap

python3x-pyOpenSSL (Red Hat package): before 24.1.0-1.el8ap

python3x-pulpcore (Red Hat package): before 3.28.27-1.el8ap

python3x-pulp-ansible (Red Hat package): before 0.20.7-1.el8ap

python3x-pillow (Red Hat package): before 10.3.0-1.el8ap

python3x-jinja2 (Red Hat package): before 3.1.4-1.el8ap

python3x-idna (Red Hat package): before 3.7-1.el8ap

python3x-gunicorn (Red Hat package): before 22.0.0-1.el8ap

python3x-galaxy-ng (Red Hat package): before 4.9.2-1.el8ap

python3x-cryptography (Red Hat package): before 42.0.5-1.el8ap

python3x-black (Red Hat package): before 22.8.0-2.el8ap

python3x-aiohttp (Red Hat package): before 3.9.5-1.el8ap

receptor (Red Hat package): before 1.4.8-1.el9ap

python-sqlparse (Red Hat package): before 0.5.0-1.el9ap

python-social-auth-app-django (Red Hat package): before 5.4.1-1.el9ap

python-requests (Red Hat package): before 2.32.2-1.el9ap

python-pydantic (Red Hat package): before 1.10.15-1.el9ap

python-pyOpenSSL (Red Hat package): before 24.1.0-1.el9ap

python-pulpcore (Red Hat package): before 3.28.27-1.el9ap

python-pulp-ansible (Red Hat package): before 0.20.7-1.el9ap

python-pillow (Red Hat package): before 10.3.0-1.el9ap

python-jinja2 (Red Hat package): before 3.1.4-1.el9ap

python-idna (Red Hat package): before 3.7-1.el9ap

python-gunicorn (Red Hat package): before 22.0.0-1.el9ap

python-galaxy-ng (Red Hat package): before 4.9.2-1.el9ap

python-cryptography (Red Hat package): before 42.0.5-1.el9ap

python-black (Red Hat package): before 22.8.0-2.el9ap

python-aiohttp (Red Hat package): before 3.9.5-1.el9ap

automation-hub (Red Hat package): before 4.9.2-1.el9ap

automation-eda-controller (Red Hat package): before 1.0.7-1.el9ap

automation-controller (Red Hat package): before 4.5.7-1.el9ap

ansible-rulebook (Red Hat package): before 1.0.7-1.el9ap

ansible-core (Red Hat package): before 2.15.11-1.el9ap

ansible-automation-platform-installer (Red Hat package): before 2.4-7.1.el9ap

External links

http://access.redhat.com/errata/RHSA-2024:3781


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Resource exhaustion

EUVDB-ID: #VU88184

Risk: Medium

CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2023-45288

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient limits on the number of CONTINUATION frames that can be sent within a single HTTP/2 stream. A remote attacker can send specially crafted HTTP/2 requests to the server and perform a denial of service (DoS) attack.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

python3x-sqlparse (Red Hat package): before 0.5.0-1.el8ap

python3x-social-auth-app-django (Red Hat package): before 5.4.1-1.el8ap

python3x-requests (Red Hat package): before 2.32.2-1.el8ap

python3x-pydantic (Red Hat package): before 1.10.15-1.el8ap

python3x-pyOpenSSL (Red Hat package): before 24.1.0-1.el8ap

python3x-pulpcore (Red Hat package): before 3.28.27-1.el8ap

python3x-pulp-ansible (Red Hat package): before 0.20.7-1.el8ap

python3x-pillow (Red Hat package): before 10.3.0-1.el8ap

python3x-jinja2 (Red Hat package): before 3.1.4-1.el8ap

python3x-idna (Red Hat package): before 3.7-1.el8ap

python3x-gunicorn (Red Hat package): before 22.0.0-1.el8ap

python3x-galaxy-ng (Red Hat package): before 4.9.2-1.el8ap

python3x-cryptography (Red Hat package): before 42.0.5-1.el8ap

python3x-black (Red Hat package): before 22.8.0-2.el8ap

python3x-aiohttp (Red Hat package): before 3.9.5-1.el8ap

receptor (Red Hat package): before 1.4.8-1.el9ap

python-sqlparse (Red Hat package): before 0.5.0-1.el9ap

python-social-auth-app-django (Red Hat package): before 5.4.1-1.el9ap

python-requests (Red Hat package): before 2.32.2-1.el9ap

python-pydantic (Red Hat package): before 1.10.15-1.el9ap

python-pyOpenSSL (Red Hat package): before 24.1.0-1.el9ap

python-pulpcore (Red Hat package): before 3.28.27-1.el9ap

python-pulp-ansible (Red Hat package): before 0.20.7-1.el9ap

python-pillow (Red Hat package): before 10.3.0-1.el9ap

python-jinja2 (Red Hat package): before 3.1.4-1.el9ap

python-idna (Red Hat package): before 3.7-1.el9ap

python-gunicorn (Red Hat package): before 22.0.0-1.el9ap

python-galaxy-ng (Red Hat package): before 4.9.2-1.el9ap

python-cryptography (Red Hat package): before 42.0.5-1.el9ap

python-black (Red Hat package): before 22.8.0-2.el9ap

python-aiohttp (Red Hat package): before 3.9.5-1.el9ap

automation-hub (Red Hat package): before 4.9.2-1.el9ap

automation-eda-controller (Red Hat package): before 1.0.7-1.el9ap

automation-controller (Red Hat package): before 4.5.7-1.el9ap

ansible-rulebook (Red Hat package): before 1.0.7-1.el9ap

ansible-core (Red Hat package): before 2.15.11-1.el9ap

ansible-automation-platform-installer (Red Hat package): before 2.4-7.1.el9ap

External links

http://access.redhat.com/errata/RHSA-2024:3781


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

20) Resource exhaustion

EUVDB-ID: #VU87197

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-45290

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in net/http because the application does not properly control consumption of internal resources when parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile). A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
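As an added defender-side example (not part of this advisory, Red Hat's packages or the Go standard library's own code), a Go handler that bounds what Request.ParseMultipartForm can consume by capping the request body with http.MaxBytesReader before parsing; the 64 KiB limits, the handler name and the constructed test forms are this example's own assumptions.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"mime/multipart"
	"net/http"
	"net/http/httptest"
)

// maxBodyBytes caps the whole request body; maxMemory is the in-memory
// budget passed to ParseMultipartForm. Both are this example's assumptions.
const maxBodyBytes, maxMemory = 64 << 10, 64 << 10

// uploadHandler caps the body before parsing, so a client cannot make
// ParseMultipartForm consume an unbounded amount of input.
func uploadHandler(w http.ResponseWriter, r *http.Request) {
	// Reads past the cap fail with *http.MaxBytesError and the server
	// closes the connection instead of draining the rest of the body.
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	if err := r.ParseMultipartForm(maxMemory); err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "malformed multipart form", http.StatusBadRequest)
		return
	}
	defer r.MultipartForm.RemoveAll() // drop parts spilled to temp files
	fmt.Fprintf(w, "parsed %d fields", len(r.MultipartForm.Value))
}

// postForm builds a constructed multipart/form-data body with n text fields
// of fieldSize bytes each, runs it through uploadHandler and returns the status.
func postForm(n, fieldSize int) int {
	body := &bytes.Buffer{}
	mw := multipart.NewWriter(body)
	filler := string(bytes.Repeat([]byte("x"), fieldSize))
	for i := 0; i < n; i++ {
		_ = mw.WriteField(fmt.Sprintf("field%d", i), filler)
	}
	_ = mw.Close()
	req := httptest.NewRequest(http.MethodPost, "/upload", body)
	req.Header.Set("Content-Type", mw.FormDataContentType())
	rec := httptest.NewRecorder()
	uploadHandler(rec, req)
	return rec.Code
}
```

A ten-field form of 100-byte values is accepted with status 200, while four 32 KiB fields exceed the body cap and are rejected with 413 before the parser has read the whole body.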

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

python3x-sqlparse (Red Hat package): before 0.5.0-1.el8ap

python3x-social-auth-app-django (Red Hat package): before 5.4.1-1.el8ap

python3x-requests (Red Hat package): before 2.32.2-1.el8ap

python3x-pydantic (Red Hat package): before 1.10.15-1.el8ap

python3x-pyOpenSSL (Red Hat package): before 24.1.0-1.el8ap

python3x-pulpcore (Red Hat package): before 3.28.27-1.el8ap

python3x-pulp-ansible (Red Hat package): before 0.20.7-1.el8ap

python3x-pillow (Red Hat package): before 10.3.0-1.el8ap

python3x-jinja2 (Red Hat package): before 3.1.4-1.el8ap

python3x-idna (Red Hat package): before 3.7-1.el8ap

python3x-gunicorn (Red Hat package): before 22.0.0-1.el8ap

python3x-galaxy-ng (Red Hat package): before 4.9.2-1.el8ap

python3x-cryptography (Red Hat package): before 42.0.5-1.el8ap

python3x-black (Red Hat package): before 22.8.0-2.el8ap

python3x-aiohttp (Red Hat package): before 3.9.5-1.el8ap

receptor (Red Hat package): before 1.4.8-1.el9ap

python-sqlparse (Red Hat package): before 0.5.0-1.el9ap

python-social-auth-app-django (Red Hat package): before 5.4.1-1.el9ap

python-requests (Red Hat package): before 2.32.2-1.el9ap

python-pydantic (Red Hat package): before 1.10.15-1.el9ap

python-pyOpenSSL (Red Hat package): before 24.1.0-1.el9ap

python-pulpcore (Red Hat package): before 3.28.27-1.el9ap

python-pulp-ansible (Red Hat package): before 0.20.7-1.el9ap

python-pillow (Red Hat package): before 10.3.0-1.el9ap

python-jinja2 (Red Hat package): before 3.1.4-1.el9ap

python-idna (Red Hat package): before 3.7-1.el9ap

python-gunicorn (Red Hat package): before 22.0.0-1.el9ap

python-galaxy-ng (Red Hat package): before 4.9.2-1.el9ap

python-cryptography (Red Hat package): before 42.0.5-1.el9ap

python-black (Red Hat package): before 22.8.0-2.el9ap

python-aiohttp (Red Hat package): before 3.9.5-1.el9ap

automation-hub (Red Hat package): before 4.9.2-1.el9ap

automation-eda-controller (Red Hat package): before 1.0.7-1.el9ap

automation-controller (Red Hat package): before 4.5.7-1.el9ap

ansible-rulebook (Red Hat package): before 1.0.7-1.el9ap

ansible-core (Red Hat package): before 2.15.11-1.el9ap

ansible-automation-platform-installer (Red Hat package): before 2.4-7.1.el9ap

External links

http://access.redhat.com/errata/RHSA-2024:3781


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
